[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)

Jelle de Jong jelledejong at powercraft.nl
Mon Feb 14 16:22:48 UTC 2022


Hello everybody,

On 12/23/21 22:15, Jelle de Jong via samba wrote:
> On 12/23/21 1:02 PM, Jelle de Jong via samba wrote:
>> Hello everybody,
>>
>> I had to downgrade samba on all my centos 8 systems this morning after 
>> an upgrade caused kerberos logins to stop working.
>>
>> yum downgrade samba -y
>>
>> it also downgraded sssd packages but only downgrading sssd did not work.
>>
>> How do I debug this further, and has anyone encountered the same 
>> problem and found a solution?
>>
>> Testing with the below command showed me:
>>
>> LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan
>>
>> Starting GENSEC mechanism spnego
>> Starting GENSEC submechanism gse_krb5
>> gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq: 0x5590f7baa280
>> gensec_update_send: spnego[0x5590f7bad880]: subreq: 0x5590f7bb2410
>> gensec_update_done: gse_krb5[0x5590f7bb38e0]: 
>> NT_STATUS_MORE_PROCESSING_REQUIRED 
>> tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]: 
>> state[2] error[0 (0x0)]  state[struct gensec_gse_update_state 
>> (0x5590f7baa430)] timer[(nil)] 
>> finish[../../source3/librpc/crypto/gse.c:859]
>> gensec_update_done: spnego[0x5590f7bad880]: 
>> NT_STATUS_MORE_PROCESSING_REQUIRED 
>> tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]: state[2] 
>> error[0 (0x0)]  state[struct gensec_spnego_update_state 
>> (0x5590f7bb25c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
>> SPNEGO login failed: The type of a token object is inappropriate for 
>> its attempted use.
>> session setup failed: NT_STATUS_BAD_TOKEN_TYPE
> 
> I went through the thread of Alex subject: [Samba] Authentication issue 
> after updating samba on CentOS 7 (from yum)
> 
> I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the 
> problem came back.
> 
> I then tried adding the following options:
> local nt token from nss:DOMAIN = no
> and
> local nt token from nss:* = no
> but they did not work.
> 
> This is my global config:
> 
> [global]
>      dedicated keytab file = FILE:/etc/samba/samba.keytab
>      disable spoolss = Yes
>      kerberos method = dedicated keytab
>      load printers = No
>      log file = /var/log/samba/%m.log
>      printcap name = /dev/null
>      realm = DOMAIN.LAN
>      security = USER
>      winbind refresh tickets = Yes
>      winbind use default domain = Yes
>      workgroup = DOMAIN
>      local nt token from nss:domain = no
>      idmap config * : backend = tdb
>      map acl inherit = Yes
>      printing = bsd
>      vfs objects = acl_xattr
> 
> @Alex did you contact Andreas Schneider the RH maintainer?
> 
> It can also be an issue related to one of the below packages as they 
> also got downgraded with samba
> 
> # yum downgrade samba -y
> ....
> Downloading Packages:
> (1/46): ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
> (2/46): ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> (3/46): ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> (4/46): ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
> (5/46): ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
> (6/46): python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> (7/46): python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> (8/46): ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> (9/46): python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> (10/46): libsss_autofs-2.5.2-2.el8_5.1.x86_64.rpm
> (11/46): libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm
> (12/46): libsmbclient-4.14.5-2.el8.x86_64.rpm
> (13/46): libsss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
> (14/46): libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
> (15/46): libsss_simpleifp-2.5.2-2.el8_5.1.x86_64.rpm
> (16/46): libsss_sudo-2.5.2-2.el8_5.1.x86_64.rpm
> (17/46): libsss_certmap-2.5.2-2.el8_5.1.x86_64.rpm
> (18/46): libwbclient-4.14.5-2.el8.x86_64.rpm
> (19/46): python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
> (20/46): python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm
> (21/46): python3-sss-2.5.2-2.el8_5.1.x86_64.rpm
> (22/46): python3-sssdconfig-2.5.2-2.el8_5.1.noarch.rpm
> (23/46): samba-4.14.5-2.el8.x86_64.rpm
> (24/46): samba-client-4.14.5-2.el8.x86_64.rpm
> (25/46): samba-common-4.14.5-2.el8.noarch.rpm
> (26/46): samba-common-libs-4.14.5-2.el8.x86_64.rpm
> (27/46): python3-samba-4.14.5-2.el8.x86_64.rpm
> (28/46): samba-libs-4.14.5-2.el8.x86_64.rpm
> (29/46): samba-common-tools-4.14.5-2.el8.x86_64.rpm
> (30/46): samba-winbind-modules-4.14.5-2.el8.x86_64.rpm
> (31/46): samba-winbind-4.14.5-2.el8.x86_64.rpm
> (32/46): sssd-2.5.2-2.el8_5.1.x86_64.rpm
> (33/46): samba-client-libs-4.14.5-2.el8.x86_64.rpm
> (34/46): sssd-ad-2.5.2-2.el8_5.1.x86_64.rpm
> (35/46): sssd-client-2.5.2-2.el8_5.1.x86_64.rpm
> (36/46): sssd-common-pac-2.5.2-2.el8_5.1.x86_64.rpm
> (37/46): sssd-dbus-2.5.2-2.el8_5.1.x86_64.rpm
> (38/46): sssd-ipa-2.5.2-2.el8_5.1.x86_64.rpm
> (39/46): sssd-common-2.5.2-2.el8_5.1.x86_64.rpm
> (40/46): sssd-krb5-2.5.2-2.el8_5.1.x86_64.rpm
> (41/46): sssd-krb5-common-2.5.2-2.el8_5.1.x86_64.rpm
> (42/46): sssd-ldap-2.5.2-2.el8_5.1.x86_64.rpm
> (43/46): sssd-proxy-2.5.2-2.el8_5.1.x86_64.rpm
> (44/46): sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64.rpm
> (45/46): sssd-tools-2.5.2-2.el8_5.1.x86_64.rpm
> (46/46): sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64.rpm

I wanted to ask if anyone found a solution to kerberos auth breaking 
with samba on centos / centos stream 8.

I had to upgrade many systems to stream 8 and had to downgrade samba 
several times to have a working setup.

Downgraded:
   ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64
   ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
   ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
   ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64
   ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
   ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64
   libipa_hbac-2.5.2-2.el8_5.1.x86_64
   libsmbclient-4.14.5-2.el8.x86_64
   libsss_autofs-2.5.2-2.el8_5.1.x86_64
   libsss_certmap-2.5.2-2.el8_5.1.x86_64
   libsss_idmap-2.5.2-2.el8_5.1.x86_64
   libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64
   libsss_simpleifp-2.5.2-2.el8_5.1.x86_64
   libsss_sudo-2.5.2-2.el8_5.1.x86_64
   libwbclient-4.14.5-2.el8.x86_64
   python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
   python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
   python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
   python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64
   python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64
   python3-samba-4.14.5-2.el8.x86_64
   python3-sss-2.5.2-2.el8_5.1.x86_64
   python3-sssdconfig-2.5.2-2.el8_5.1.noarch
   realmd-0.16.3-23.el8.x86_64
   samba-4.14.5-2.el8.x86_64
   samba-client-4.14.5-2.el8.x86_64
   samba-client-libs-4.14.5-2.el8.x86_64
   samba-common-4.14.5-2.el8.noarch
   samba-common-libs-4.14.5-2.el8.x86_64
   samba-common-tools-4.14.5-2.el8.x86_64
   samba-libs-4.14.5-2.el8.x86_64
   samba-winbind-4.14.5-2.el8.x86_64
   samba-winbind-modules-4.14.5-2.el8.x86_64
   sssd-2.5.2-2.el8_5.1.x86_64
   sssd-ad-2.5.2-2.el8_5.1.x86_64
   sssd-client-2.5.2-2.el8_5.1.x86_64
   sssd-common-2.5.2-2.el8_5.1.x86_64
   sssd-common-pac-2.5.2-2.el8_5.1.x86_64
   sssd-dbus-2.5.2-2.el8_5.1.x86_64
   sssd-ipa-2.5.2-2.el8_5.1.x86_64
   sssd-krb5-2.5.2-2.el8_5.1.x86_64
   sssd-krb5-common-2.5.2-2.el8_5.1.x86_64
   sssd-ldap-2.5.2-2.el8_5.1.x86_64
   sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64
   sssd-proxy-2.5.2-2.el8_5.1.x86_64
   sssd-tools-2.5.2-2.el8_5.1.x86_64
   sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64


Complete!


